Cybersecurity Now and In the Future – Our Shared Responsibility

October is Cyber Security Awareness Month when participating governments and private industry jointly sponsor advocacy campaigns to promote awareness and ensure that every person around the world has the proper information and resources to be safer and more secure online. As a founding member of the National Cyber Security Alliance (NCSA), Cisco has actively participated in and helped to promote Cyber Security Awareness Month since its inception in 2003.

This year’s Cyber Security Awareness Month theme – Our Shared Responsibility – underscores how we must all be responsible, accountable, and work together to improve our online safety and security. I encourage you to participate in the weekly themes and take continuous action to improve your online security.

Though I’m immersed in all things ‘cybersecurity’ throughout the year, Cyber Security Awareness Month is a strong reminder – a chance to stop and think about the world in which we live and to envision the future, while taking stock of what we’ve done in the past.

I think about the implications of our increasingly digital and connected lives. Whether I’m viewing it through a business, economic, or technological lens, the drive towards digital innovation – and the need for greater cybersecurity at its core – is explicit and pervasive. Not just for today or the near term, but for our very future. The result? Taking stock, developing a plan, and building for the future.

Are We There Yet?

Some might say our future is digital. My opinion is that we’re already there. Digital services, such as online healthcare, e-Government, and collaboration are all commonplace in our daily lives. Digital devices are found in all walks of life: from civic video cameras for our safety, to indicators showing how transportation flows through a city, to sensor grids determining air quality, when soil is prime for planting and produce is ready for harvest.

Today, connected devices are generating almost 300 times more data than all the people connected to the Internet. We connect 30 million new devices to the Internet every single week. That’s more than 4 million new devices per day! 2015 was the year that the Internet of Things (IoT) took off – the tipping point when IoT went from backrooms of the technology world to mainstream. The Internet of Things is not of the future… it’s here and now.

Think back to just 5 years ago. If we had these capabilities then, where would we be today? Now imagine digital occurring in every industry, in every business, in every government and every institution… because that is what’s happening around us. We will hit a point where we don’t know how to live without our digital systems.

Sounds Great, Right?

Not so fast. Our challenge is that the drive to digital and the securing of our systems and infrastructure are linked. The opportunity to go digital is ahead of the strategy of keeping it digitally safe.

If we fast forward just four years to 2020, we project there to be 5 terabytes of data per person and 50 billion devices, not just shipped, but fully connected, enabled, and active… almost double what it is today. What does that look like from a cyber-threat standpoint? How do the services using these sensors ensure their resiliency and data protection requirements? The data, devices, and services must be managed and secured.

We Protect, At Scale

At Cisco, we have nearly 200,000 networks that we protect every single day, which extrapolates to hundreds of thousands of customers in businesses, governments, universities, and other organizations with tens of millions of users. Our more than 300 threat researchers and other security professionals work tirelessly on the threats that are occurring on the Internet right now. We have hundreds of threat analytic engines that pull in and analyze 100 terabytes of threat telemetry data from about 3 petabytes of data every single day.

We block about 20 billion malware, spyware, virus, and other attacks per day. To provide a sense of scope and size, that’s almost three times as many people as there are on Earth. It’s greater than the total number of daily Google searches. That’s how important and how serious digital and cybersecurity are. That’s why we take it seriously at Cisco and why it’s equally important to you.

Evolving to Embedded Security

I believe we can do things differently today to attain our desired future outcomes, yet we need to make a significant leap forward. Though challenges are inherent and time is of the essence, industries, governments, and educational institutions alike must adapt and evolve. To make that leap in this digital world, organizations must embed cybersecurity purely into the fabric of their organization. It has to be a fundamental part of every organization’s purpose and strategy.

In the future, I believe that every institution will just do cybersecurity as a part of business – not as an adjunct, or an operational tax, or not do it at all. It has to be central in the strategy, planning, and execution of the organization. Cybersecurity also needs to be a core consideration for those who will bring new ideas, innovation, and answers to the new challenges we’re creating in this future. It’s all about infusing security into the very culture of how and what we do.

Tackling our Technical Debt

We build and create services and systems and, too often, leave them open to attack. Similar to driving on a road that is not quite up to par, IT has its version of an infrastructure problem going on right now and it’s a latent indicator. We’re taxing the assets of our infrastructure, leaving them vulnerable. So why are we surprised, when we’re running outdated systems or not using the latest threat defenses, to find our systems, data centers, networks, and infrastructure vulnerable to attack?

Aging infrastructure exposes organizations to unnecessary and unacceptable risks. Of the devices across the Internet that we know are running today, 92 percent have an average of 26 vulnerabilities. Almost one-third of them are no longer going to be serviced, and for 1 in 20, the company that built them no longer even recognizes that they exist. This is the Internet today, and it cannot be our tomorrow.

Controlling the Controllable

Now, extrapolate that growth as we progress in the digital era. That’s why we have to get our systems and infrastructure under control. And, it is under our control. It may be financially challenging for some, but we control it and the cost is greater if we don’t. Attackers are doing what they do because we’re leaving the door open, making it easy for them. Organizations must take steps to modernize their infrastructure to reduce vulnerabilities, protect critical assets, and prepare for digital transformation.

Controlling that which we can control is key. Most organizations simply don’t know with certainty what’s connected to their network and why it’s there. We are not developing mature processes yet, but can, and this calls for the strategies and the training that will create a maturity in this lifecycle. Patching may be hard work, but it’s essential and controllable.

We need to simplify while establishing individual norms of connecting myriad new devices to the network. While reducing complexity is important, speed is vital. Technology is changing every 1-2 years. Software releases are continuous. Every 6 minutes an update occurs, and those updates are what may save you. Acceleration is key to keeping pace with digitization. If you’re afraid that speed kills, it does… if you wait.

Building for the Future

In the 29 years I’ve been in cybersecurity, I believe this is the most critical time that this industry has ever faced. Business leaders today must stop and ask, “How do I do digital right?” “How do I get cybersecurity right?” “How can I be successful for the next 5 years and beyond?” And possibly the most important question we must ask of ourselves is: “What am I going to do differently?”

Cybersecurity is our shared responsibility. Because we all have a say in our business and technology, we must also view security as an inherently essential part of our organization’s purpose and strategy. We at Cisco knew that we needed to do something different, so we put money, people, and time into doing cybersecurity differently. We’re committed and building for that future… especially because that future is now.

I invite you to check back to this Security Blog regularly throughout Cyber Security Awareness Month as we cover weekly topics that will provide insights about security, safety, and privacy. You can learn more about National Cyber Security Awareness Month in the US, and European CyberSecMonth across the European Union, as well as other corresponding cybersecurity advocacy campaigns around the world.

I Love Security, and it is not only a simple Antivirus to install to be compliant with X, Y, Z regulation or to pretend to be "Protected".
It is a complete Strategy around Products, Services, People, Assets and letting the Organization innovate and be proactive at the same time in this Digital World.
Letting Cisco be the trusted advisor for our customers is our great value for them, because we can walk with them and let them achieve their Organization's Objectives.
:-)
PS: Wonderful Post @ http://blogs.cisco.com/author/johnstewart

I read the article and found its context very interesting. Most organizations today make little to no investment in their network infrastructure, but expect systems to perform optimally.
I believe the work CISCO is doing is great, and would urge people to take this appeal seriously and start investing in infrastructure that is current and supported by OEMs like CISCO.
It’s my personal view that rather to invest, to minimize the risk of any attack, which can be detrimental to any business.
Information flows through the Internet daily and, if left exposed, can be found in the wrong hands. Let’s work together to support this crucial initiative.

Well, this topic is something which is the dailies
But the question is how much a person is aware about it
We are just blaming the organizations that they are unaware of it, but I think that we as ITians know what is good for a network or not
Tell me how a person is supposed to know that without proper knowledge
They are not leaving data to be attacked; it's just that they know very little about it
To build a more secure future we have to first make the organizations & others aware about how to keep infrastructures safe from these cyberattacks,
Increase their knowledge on this topic, letting them know about it
It's not cyberattacks which are threatening infrastructures; it's the illiteracy of them about not knowing about all this.

Thanks John for sharing this great article with us.
We need to accomplish this task step by step:
1 - First, awareness for all interested parties.
2 - Create leaders and cyber security guards around the world.
3 - This task is not only the job of one company. It is our duty to protect our assets. All.
4 - We need strong regulations from the governments; hacking our networks and systems is a very serious crime.
5 - Countries supporting such kind of activity must be stopped.
6 - Institutes and universities must participate and educate students hacking is an ethical.
Thanks

Definitely, you are right regarding this important issue that is a daily task and everybody's concern. I agree with you that it is a shared responsibility at all levels. Your blog post brings the facts, and awaits a responsive action. Thanks for sharing it. It's worth sharing with other colleagues as well in my Twitter account. Deeply appreciated. My respects.

John-
Good job bringing up the challenges we face. I am wondering though, who are the people that threaten the information databases. It seems hard to believe that all these attacks are unstructured. Looking online there seems to be little data or investigation on solving the root cause.

I'm not sure why it matters who are the people who threaten our systems. There will always be more bad actors, no matter how many we take down. We have to build resilient solutions employing defense-in-depth methods to stop a variety of bad actors.

@Jennie: I agree and disagree at the same time (I'm a Gemini, go figure). Agreed that we all should focus on resiliency and DiD to your point. That said, security companies and law enforcement need to try and get at those doing it, to try and stop at least some of it from happening and/or disrupt it. Law and rules of the road have a place here, I think?

@Terry Tower: Where there is information, there is value, so it really comes down to what data there is that can be sold, monetized, ransomed, etc. It can be an external threat, an insider threat, or just a systems threat. As we continue to rely on infra and data, and go further into digitization, it ups the "value" of data itself...

Great summary that not only is a strong reminder of our need to make security central to our architectural strategy w/ our customers, but this has great data points that will resonate both internally and externally. As always, well done, John.
